Research: Compliance in the Cloud Era

Diana Kelley and Ed Moyle, 07/02/12

Shifting From Inward to Outward Focus

IT pros charged with keeping their companies in compliance with regulations face challenges that weren't even on the radar a few years ago. For a long time, compliance was about resource acquisition with the intent of implementing new controls in response to emerging regulation. However, changes in the way enterprises consume IT services--mainly cloud and expanded outsourcing relationships but also more partnerships--make both the security and regulatory compliance of external entities in the supply chain increasingly important. And that brings a whole new set of challenges.

To find out how we're coping, we surveyed 422 business technology professionals, all of whom qualified for our InformationWeek 2012 Regulatory Compliance Survey by being subject to at least one regulation. We asked about the scope and nature of their compliance strategies, with a focus on how that strategy impacts oversight and governance of the vendors, partners, customers, outsourcers and service providers that make up their supply chain ecosystem.

What we found might surprise you. The good news: when we asked professionals how many mandates their organizations must comply with overall, 35% told us four or more. That seems like a lot--and it is--but compare this with the percentage who answered the same way in our June 2009 compliance survey: also 35%. Viewed as a whole, the overall number of overlapping regulations in scope within enterprises has decreased, while the number of organizations complying with only one has increased. In fact, the median number of regulations organizations have to address in 2012 is two, down from three in the 2009 survey.

But don't get too comfortable. The dynamics of compliance seem to be changing as we grant third parties access to sensitive and critical data--and with that change will inevitably come yet another shift as IT contemplates some worst-case scenarios.

What sort of damage could occur if there were a major security breach at one of these external parties? While it's easy to recognize danger at the macro level--outsourcing relationships and cloud vendors--there are numerous other ways that vendors could pose equal, or potentially even greater, risks that aren't nearly as visible. This makes for a challenging state of affairs.

Fortunately, though, you can take some practical steps to uncover potential problems. A program that addresses challenges systematically can significantly lower the overall risk profile. And it may not be as difficult to implement as you might think. (R5140712)